Blog Post

Oh Google. Of course email users expect privacy — you promised it to them

The California-based advocacy group Consumer Watchdog has this week highlighted an interesting claim emanating from Google(s goog)’s legal team, with which it is doing battle over data mining. In a motion to dismiss Consumer Watchdog’s class action lawsuit against it, Google said no email users can expect privacy.

The lawsuit is about the fact that Google scans Gmail emails for keywords, so it can better target ads at the user. Many of the plaintiffs in this class action suit are Gmail users, and Google’s argument there is that they signed up to its terms (which I’m sure they all read, right?). However, regarding those plaintiffs complaining about their emails to Gmail users being scanned and processed, Google’s lawyers said:

“The state law wiretap claims of the Non-Gmail Plaintiffs fail for similar reasons. While the non-Gmail Plaintiffs are not bound to Google’s contractual terms, they nonetheless impliedly consent to Google’s practices by virtue of the fact that all users of email must necessarily expect that their emails will be subject to automated processing.

“Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s [email] provider in the course of delivery. Indeed, ‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.’ Smith v. Maryland, 442 U.S. 735, 743-44 (1979).”

That’s some awesome reasoning right there, especially considering that the Smith case was about telephony – not, in 1979, a rich field for the kind of data-mining that Google performs on its users’ emails today.

I’m no expert in U.S./Californian privacy law (to be clear, I’m not a lawyer, period) but, while it is certainly true that email has inherent insecurities, Google’s line of argument seems to me to be problematic on several levels. For one, secure email does exist, if end-to-end encryption is in place and, crucially, if the email provider isn’t storing emails in unencrypted form so it can scrape it for keywords. Does Google stand by Consumer Watchdog’s interpretation, that “if you care about your email correspondents’ privacy don’t use Gmail”?

But where might email users have got the crazy idea that their webmail correspondence was private and secure in the first place? Perhaps from their provider’s promises, such as these examples:

And so on.

It does look like Google is trying to have its cake and eat it too. If the firm is so sure that email users would be nuts to expect privacy, perhaps it should stop promising it to them.

32 Responses to “Oh Google. Of course email users expect privacy — you promised it to them”

  1. This is not news. It’s been known for years that they do this. And by they I’m not only talking about Google which is no different form the other major email providers. I stopped using these services along time ago and switched to offshore services. I use this one but there are others as well. Everyone knows they scan emails so if you are not OK with that go with a provider that doesn’t.

  2. txpatriot

    David, I think you misconstrue google’s privacy claims to its customers.

    The “privacy” google refers to means privacy from disclosure to third parties. As per the case law (and IANAL), users have no expectation of privacy once they hand their information to a service provider. So when you hand your tax records to your CPA to do your tax return, how silly would it be to later sue him or her for actually LOOKING at those records in order to complete your return?

    As others have said, when you agree to google’s TOS, you agree to let them scan your email in order to block spam, to target advertising and for routing purposes.

  3. avonwyss

    The physical form of traditional e-mail is not a letter, but a postcard. Everyone can read the data within. Just like the postcard can be read by anyone in the post office. When you encrypt the email body, it becomes like a letter. The headers can be analyzed (the envelope), but the content is secret, and that is not going to be read easily.

    So comparing traditional e-mail with post office letters is just comparing oranges to apples. It’s obvious that all mails need to be processed for providing the services, which include routing, filtering, but also ad targetting since this is what finally pays for the “free” service. Nevertheless, the information is not shared to third parties in a way violating the user’s privacy. And that’s what the privacy statements are about.

    Even when the mail is scanned for some keywords and specific ads are then shown to a person, the service provider (and that’s not just Google, mind you) does not give out the information about who got to see the ad and even less so why it was shown.

  4. If my assistant opened my mail, scanned it for keywords, and sold that information to advertisers, that would represent something of a conflict of interest

    • avonwyss

      But hat’s not how it works. Your assistant has a pile of advertisements and after scanning your mail for keywords he or she shows you a tiny selection of matching advertisements when delivering your mail. The advertiser doesn’t know about you or your mail’s content!

      Your assistant acts as trusted party in-between, thereby protecting your privacy while delivering targeted advertisement for the advertisers.

  5. If Google can’t analyse the data, then they can’t detect that a particular email is spam or not. Since they are analyzing the emails already, why not scan a couple key words to make the ads better targeted towards the users? You are using a FREE fucking service. Get over it. That’s how Google makes money, ads. And besides, even if Google’s automated programs don’t read over your email, the government of the United States is personally reading them. Google is correct in saying that we should not expect privacy, because in this day in age privacy simply doesn’t exist. And if it does, it will be shut down by the American government before long (Lavabit).

  6. linkreincarnate

    Google is right. At least legally right. Te problem here isn’t Google but outdated laws that were shoehorned onto new technology. Look up the legal interpretation of expectation of privacy. That is one paw that needs rewriting. It guts the constitution and allows the government to intercept any communication given to a third party. The problem here is bad law.

  7. PersonABC

    Here’s what strikes me about this:

    1. GMail is supposed to act more like the post office than a Personal Assistant. Their logic is a bit faulty there.

    At the same time…

    2. When you sign up for email or any online service, you agree (per the terms) that you allow the company to use your data to serve your needs, to serve business objectives, and to comply with government regulations. That means that–of course!!!–Google and all other online companies are scanning everything you do online. In my mind, this suit holds less water because of that.

    3. What I don’t find kosher and what I didn’t anticipate signing up for is the NSA bulk data-gathering that conflicts with many constitutional rights. Yay government. =/

  8. Wilson Zorn

    Google users don’t expect privacy from Google, although it’s more nuanced than that. The expectation is the information in email will only be used to target advertisements. However, it’s clear to me that an admin at Google might look at my email at any moment; I can only hope Google has some kind of reasonable controls to prevent willy-nilly abuse of that power.

  9. Sean Smith

    If you’re not a lawyer please read the motion (not the provided out of context text) and consult a lawyer before writing abut it. You are basically doing PR work for them:

    “Consumer watchdog” are trying to make physical mail analogies apply to email, and Google’s counter argument answers to that. The point is that you can’t email analysis is needed for spam, full text word search, etc. And disallowing it basically kills innovation.

    They are deliberately lumping precedent citation text in a counter argument to a specific accusation with the lawyers words, it’s disingenuous PR hatch job from an organization famous for them

    • David Meyer

      I feel you’re missing my point – ordinary people do think of email as a physical mail replacement, and Google’s promises of privacy reinforce the idea that email can be private. I’m not saying Google should stop data-mining – it should just stop claiming that its users have privacy.

      • Frank A NYC

        It comes down to how google is defining privacy. If “ordinary people” think privacy means no one other than them and the recipient views their email then they are sadly mistaken. I have actually read the disclaimers for using google’s services and it’s pretty clear that google is “reading” every email I send or receive. Otherwise I would not get any ads and I would not have a spam filter. Are folks that naive to think they are getting something (free services) for nothing?

        • Wilson Zorn

          Exactly. I think most “ordinary users” know that Google uses algorithms to read their emails, that staff at Google might look at their email, and that if law enforcement asks Google might just hand it over.

          I’m sure there are a minority of people who really believe they can get something (total privacy and security) for nothing. But let’s use common sense: something for nothing doesn’t exist. Anyone who believes that is naive at best and willfully and stubbornly remaining ignorant at worst.

  10. What about reciepients of emails? Does it makes sense if a gmail user sends me information on TRX exercise equipment based on a verbal conversation Google ads for TRX equipment start following me around the Internet? I have never agreed to Google’s terms of service.

    That is what this is about. It is not about spam filters.

    • Wilson Zorn

      Well, to be fair, you have no control over anyone sending you email. If someone sends you an email from their place of business, for example, if in the US, that place of business had every right to interrogate the contents and may have done so.

      People seem to confuse a private service with no guarantees with the Post Office.

    • Wilson Zorn

      What came out that surprised you? The Patriot Act gives the US government authorization to perform these searches. Google has always indicated it’s complied with local laws (which includes censorship laws in other countries). I don’t see what principle has been violated that you didn’t already agree to or weren’t subjected to by virtue of being under jurisdiction of US law.

      Don’t confuse this with me supporting such provisions of the Patriot Act. I’m simply saying we knew this it was passed.

  11. TehGoldenRule

    If Google operated in the light of day they would make a list of everything that they do with their users information. They would make it a simple list without unnecessary obfuscating words mucking it up.

    We’re all strangers to each other yet we’re all the same.

    Do you prefer that I tell you the truth or that I tell you lies? Do you prefer that I do things to you either with or without your agreement?

    No matter what culture you are in, no matter your religion, whether you’re an atheist, male or female, of whatever race or nationality, heterosexual or homosexual, we all answer the same way: truth and agreement. Each of the characteristics that make each of these groups legitimate is that they agree to their beliefs with their peers. Now you might say that there ‘beliefs’ are untrue, but their beliefs alone do not affect you, so we debate them or we walk away, smiling. What does affect you is if someone lies to you or does something to you that you don’t agree to. It is not up to any group to attempt to control what other people do in agreement with each other. We have to be able to discern between ‘functional’ truth and lies and ‘belief’ truth and lies. A ‘functional’ lie is what happens when someone steals something that does not belong to them and then says that it’s now theirs. Well, truth is, the person it was stolen from does not agree to it so the theft won’t stand, and the thief saying the thing that they stole is now theirs is a ‘functional’ lie. But if someone says that their ‘God’ is better than your ‘God’ and that your ‘God’ is a lie, how does that affect you? It doesn’t! What you view as a ‘belief’ lie is just that, so debate them or walk away, but smile.

    Cleanse your feet of all past transgressions through asking for forgiveness for your lies and trespasses, then keep your feet clean as truth guides your feet into the way of peace, eating and drinking. Be humble, you are not better than anyone else. And in truth, when you see someone in need, ask them if you can help them somehow, and if they agree, help them when and where you can. Follow through on truth.

    And if you have a goal in mind that you want to reach, if you tell the truth and only do things to other people that they agree to, then that goal will be reached and will have been built on a rock, but if you lie and do whatever you want to other people without their agreement in order to get to that goal, you are a thief and a robber and your goal will have been built on sand. When the winds and the rains come the goal built on a rock will not succomb to the elements but the goal built on sand will succomb to the elements and won’t be able to stand anymore. The path to the goal is the goal. Truth and love.

    • Wilson Zorn

      Whether you tell me truth or lies depends on the context.

      If you’re a stranger and have a low opinion of me and we have no reason for ongoing interaction, I’d strongly prefer you lied. I don’t need to hear your ill-informed criticisms, and instead strongly prefer you go by social convention and keep your ignorant misgivings to yourself in favor of platitudes.

      It’s all a matter of context.

      Regardless, so far I haven’t seen that Google’s lied or misdirected in any way in regard to the issue of its interrogation of user content.

  12. I hate opinion articles like this that throw common sense out the Window.
    Fact is Google and other providers didn’t lie. When they say they protect your privacy, they are talking about illegitimate sources.
    A boyfriend trying to access a gfs account. People in Starbucks scanning wifi packets for passwords. Hackers trying to get person info like banking info.
    And do it by the very things u linked. Use of https vice http. Requiring logging in if an IP that isn’t normally used tries to open it. Authorized computers. Etc…

    They are NOT talking about privacy from legitimate sources like the email providers themselves, law enforcement, etc..
    Most people know this on a common sense level, terms being read or not. This lawsuit is idiots trying to make a quick buck in this sue first and ask questions later society.

    The lawyers should have added “from illegitimate sources” but they are still correct.

    If you want total security, use a provider that advertises encryption and decryption at the source and destination.

  13. unbound

    Definitely a terrible argument from Google. An assistant does not read every mail that is sent to me…there are rules about what the assistant does and does not read. Furthermore, the assistant does not share the information with a bunch of other assistants in my company, much less to people outside of my organization.

    I did not turn over my information to Google anymore than I turned my information to the post office when I send a letter. It is illegal for a postal worker to open my mail, and I see zero reason based on Google’s horribly flawed argument that they should be treated any differently. The post office (like Google) is providing the service of delivering that mail to the destination…nothing more.

    So much for Google’s “Do no evil”.

  14. The point that Google is making is that in order for them to compose, route, and store your email they must read every literal bit of that email. Even if you are sending an email with an encrypted body the header still needs to read and that encrypted text needs to be read and stored, or routed. Privacy is privacy from a third party reading you email.

    • mooninaut

      I understand that people who don’t understand technology… don’t understand technology, but claiming that Google is violating user privacy by analyzing email is laughable.

      Of course Gmail analyzes every email. Have the plaintiffs ever considered how Gmail filters out spam? Clearly not, or else they would realize that spam filters weigh the contents of every new email based on how past emails were classified. That necessarily involves building up statistics of what words and phrases do and do not occur in that particular user’s wanted and unwanted incoming mail. Similar statistical analysis produces targeted ads.

      This reminds me of the early days of Internet copyright infringement lawsuits, in which courts had to adjudicate equally ridiculous questions. Such as, can an ephemeral copy of a work that exists for mere microseconds be considered a seperate instance of infringement? Can the operators of intermediate network servers be held liable? In those cases, as in this one, when an electronic communications service does exactly the things that its users tell it to, it is the users’ own damn fault, and computers cannot break the law, only people.

      So long as Gmail users’ identities are not disclosed to advertisers, there is no privacy violation.

        • zornwil

          If you provide the email service to me, tell me you’re going to scan the contents, and hold to a promise not to share the data with anyone else, yes. That’s what the post you’re reacting to said; that’s also what Google says.

      • IGotBupkis, "Faeces Evenio", Mr. Holder?

        }}} In those cases, as in this one, when an electronic communications service does exactly the things that its users tell it to, it is the users’ own damn fault, and computers cannot break the law, only people.

        Ummm… exactly when did anyone tell them to scan the messages and assemble words and phrases from them that they can then use to sell someone an advert to me.

        I’m just curious at what point this occurred during the registration process, because I don’t recall anything that overt being said or suggested by either party — them or me…

        And I certainly didn’t suggest they should collect those words and phrases to produce a picture of me connected to my mailbox which they can use or sell to others, even if my actual name is not associated with it.

    • David Meyer

      I’m not commenting on Watchdog’s suit itself — I am aware they have a bit of a reputation (see first link) — but I have looked at the relevant part of Google’s motion to dismiss and the logic of that section is indeed questionable.

      • Steven Roussey

        Yikes, this is a naive article. Do you send credit card numbers and your social security number over email? No? Likely you know that the whole email message is send in clear plain text across the whole of the internet, read by various servers that do their store and forwarding until it reaches the right server which reads it to know where to send it, and stores it there, usually in plain text waiting for whomever to read it. Not like http at all, other than the plain text part.

        The articles quoted talk about securing against unaffiliated third parties after the fact.

        But if you think that email is secure, and Google is “trying to have its cake and eat it too” then by all means don’t use GMail, and feel secure in emailing your SSN, passwords, and credit cards numbers.

    • HacerLaPelotaAlGoog

      And yet you are the one completely missing the point the article is raising.

      What game are *you* playing? World’s biggest Google apologist?